Office (OLE) / .XLS malware analysis — malicious · 876a389b75c64370

MALICIOUS

Office (OLE) / .XLS

1.49 MB Created: 2002-01-18 02:38:26 Authoring application: Microsoft Excel

MD5: 62b9e31c61bbd2486898d2c10044c768 SHA-1: e13d9e56205d29baf1a6ff64e0e985852b985fb8 SHA-256: 876a389b75c643709a635031e783423f1fc27e8fac57e97ca7b7878c21e815b1

80 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic

The critical heuristic firing indicates the presence of a legacy Excel Formula Macro Virus, specifically identified as 'Poppy by VicodinES' and associated with 'The Narkotic Network 1998'. The document body contains strings like 'Add New Workbook, Infect It, Save It As Book1.xls' and 'Infect Workbook', strongly suggesting the macro's purpose is to spread itself to other Excel files, likely within the xlstart directory. The presence of XLM macros points to the T1059.005 (Visual Basic) technique.

Heuristics 2

Legacy Excel formula macro virus marker critical OLE_XLS_FORMULA_MACRO_VIRUS

Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Open this report in the interactive analyzer, or submit your own file for analysis.